Splunk Search

Cluster Command Based on Multiple Fields

michaelsplunk1
Path Finder

Can the cluster command cluster based on more than one field? I know we can change which field to cluster by, but can we cluster by multiple fields?

Labels (1)
Tags (1)
0 Karma
1 Solution

niketn
Legend

@michaelsplunk1  you can use eval to merge the fields together and then perform cluster on the combined field. Following is a run anywhere example based on Splunk's _internal index that merges log_level and component fields and performs cluster on the combined field.

index=_internal sourcetype=splunkd
| fields log_level component
| eval merge_field=log_level."|".component
| cluster field=merge_field showcount=t t=0.5
| sort - cluster_count
| eval merge_field=split(merge_field,"|"), log_level=mvindex(merge_field,0),component=mvindex(merge_field,1)
| table log_level component cluster_count

 

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

The documentation says

Syntax: field=<field>
Description: Name of the field to analyze in each event.
Default: _raw

The phrase "the field" implies only one field can be used.  For more than one field, try _raw

---
If this reply helps you, Karma would be appreciated.
0 Karma

niketn
Legend

@michaelsplunk1  you can use eval to merge the fields together and then perform cluster on the combined field. Following is a run anywhere example based on Splunk's _internal index that merges log_level and component fields and performs cluster on the combined field.

index=_internal sourcetype=splunkd
| fields log_level component
| eval merge_field=log_level."|".component
| cluster field=merge_field showcount=t t=0.5
| sort - cluster_count
| eval merge_field=split(merge_field,"|"), log_level=mvindex(merge_field,0),component=mvindex(merge_field,1)
| table log_level component cluster_count

 

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

A few months ago, we released Splunk Enterprise Security 8.0 for our cloud customers. Today, we are excited to ...

Logs to Metrics

Logs and Metrics Logs are generally unstructured text or structured events emitted by applications and written ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...